UK code of practice on data sharing launched
A new statutory code of practice designed to help public sector bodies share peoples personal information appropriately has been published by the Information Commissioners Office (ICO).
A new statutory code of practice designed to help public sector bodies share peoples personal information appropriately has been published by the Information Commissioners Office (ICO).
The new code, published on May 11, explains how the Data Protection Act 1998 applies to the sharing of personal data, as well as providing good practice advice.
The code covers activities such as:
the police passing information about the victim of a crime to a counselling charity;
the police and immigration authorities exchanging information about individuals thought to be involved in serious crime;
a primary school passing details about a child showing signs of harm to the police or social services;
a supermarket giving information about a customers purchases to the police.
It points out that with different organisations often using very different IT systems, with different hardware and software and different procedures for its use, it can be very difficult to join systems together in order to share personal data properly.
These technical issues need to be given due weight when deciding whether, or how, to share personal data, warns the code.
Another problem, it says, is that organisations may also record the same information in different ways. For example, a persons date of birth can be recorded in various formats that can lead to records being mismatched or becoming corrupted.
Before sharing information, the code recommends that organisations adopt a common way of recording key information, for example by deciding on a standard format for recording peoples names.
It adds that given the problems of interoperability that can arise, it is also good practice for organisations to require common data standards as part of their procurement exercises.
The document aims to provide organisations with a better understanding of when, whether and how personal information should be shared so that the risk of the inappropriate or insecure sharing of personal data will be reduced. It also aims to minimise risk of breaking the law and consequent enforcement action by the ICO or other regulators.
Information Commissioner Christopher Graham said that sharing data can play an important role in providing an efficient service.
However, he added that the public rightly want to remain in control of who is using their information and why and they need to feel confident that it is being kept safe.
The code of practice weve issued today offers a best practice approach that can be applied in all sectors, said Mr Graham. It reflects the constructive comments we received during the consultation period, meaning that we can be confident that it not only makes sense on paper but will also work in the real world too.
Id encourage all businesses and public bodies that share personal data to get to grips with the code without delay so they can be sure they are getting it right.
Case study
A group of police forces are cooperating with immigration officials to collect evidence about a number of individuals thought to be involved in people trafficking. This involves exchanging data about suspects whereabouts and activities:
There is no need to tell any of the suspects that personal data about them is being collected or exchanged. This is because doing so would tip off the suspects, allowing them to destroy evidence, prejudicing the likelihood of prosecution.
The police, or immigration agency, may still need to provide subject access to the data and explain their collection and sharing of the data, when doing so will no longer prejudice the prosecution.
The code of practice is available on the ICO website: http://www.ico.gov.uk/~/media/documents/library/Data_Protection/ Detailed_specialist_guides/data_sharing_code_of_practice.pdf